OpenAI's Agent Chained Decade-Old DoS Attacks to Crash Web Servers in Seconds
Researchers say a single client can exhaust 32GB of memory in about 20 seconds on some servers.
- Earlier this week, cybersecurity researchers at Calif disclosed a new denial-of-service technique called HTTP/2 Bomb, discovered using OpenAI's Codex software agent, that can render vulnerable web servers inaccessible in seconds.
- The attack chains two existing vulnerabilities: the HPACK compression bomb and Slowloris-style flow-control stalling, tricking servers into reserving memory while sending minimal data that exhausts system resources.
- Using a home computer on a 100 Mbps connection, a single client can force a server crash in roughly 20 seconds, affecting upwards of 880,000 websites supporting HTTP/2 configurations.
- While Nginx and Apache HTTP Server have issued patches, Microsoft IIS and Cloudflare Pingora remain vulnerable; researchers recommend disabling HTTP/2 or enforcing header caps for protection.
- Proof-of-Concept exploit scripts are available on GitHub with a warning from researchers: "Please don't point these at infrastructure you don't own." Luong will present full technical details at the Real World AI Security conference later this month.
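The last two points above are where a server operator can act today. Below is an added hardening example for nginx; it is not from the Calif write-up or from any of the articles summarised here, and the directive values, hostname and file paths are assumptions chosen for illustration. It shows the kind of "header caps" the researchers recommend: bounding the header memory and the number of stalled streams a single HTTP/2 connection can make the server hold, and timing out clients that stop sending mid-request. Since nginx 1.19.7 the HTTP/2 listener honours `large_client_header_buffers`, `client_header_timeout` and `keepalive_timeout` directly, which is why no `http2_*` size or timeout directives appear.

```nginx
# Added hardening example (assumed values, not from the page or from Calif).
# Goal: cap how much memory one HTTP/2 client can make nginx reserve for
# request headers and half-finished streams, and how long it can hold them.

http {
    # Weak setting: oversized header buffers let a client force the server to
    # reserve far more memory per request than the bytes it actually sends.
    # large_client_header_buffers 64 1m;

    # Hardened: cap the number and size of request-header buffers. Since
    # nginx 1.19.7 this limit also applies to HTTP/2 header blocks.
    large_client_header_buffers 4 16k;

    # Bound the streams one connection may keep open at once, so per-stream
    # header memory cannot be multiplied by thousands of stalled streams.
    http2_max_concurrent_streams 64;

    # Do not let a slow client keep a partially sent request alive for long
    # (the Slowloris-style stalling half of the chain).
    client_header_timeout 15s;
    client_body_timeout   15s;

    # Close idle keep-alive connections promptly so stalled sessions free
    # their memory instead of accumulating.
    keepalive_timeout 30s;

    server {
        listen 443 ssl;
        http2 on;                                   # nginx >= 1.25.1 syntax
        server_name example.com;                    # placeholder hostname
        ssl_certificate     /etc/nginx/tls/example.crt;  # placeholder paths
        ssl_certificate_key /etc/nginx/tls/example.key;
        root /var/www/html;
    }
}
```

Run `nginx -t` after editing to validate the configuration, then reload. These caps limit the blast radius of a single connection; they complement the vendor patch the coverage mentions rather than replace it, and on servers whose vendor has not shipped a fix the researchers' other option, disabling HTTP/2 on the listener, remains the blunter but more complete control.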
12 Articles
OpenAI’s Codex helps discover HTTP/2 Bomb DoS attack that can nuke over 30GB of RAM within seconds, knocking web servers offline before they can react
A new attack technique affects HTTP/2 configurations of major web servers, but some have released patches already.
OpenAI's agent chained decade-old DoS attacks to crash web servers in seconds
The next threat your server faces may have been helped along by a bot. OpenAI's Codex agent helped uncover a remote denial-of-service (DoS) exploit that can be launched from a single machine to render vulnerable web servers inaccessible in seconds, according to Calif security researchers. The attack works on default HTTP/2 configurations of major web servers including nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. As of…
OpenAI Codex Helps Expose Decades Old HTTP/2 Bomb Server Attack
OpenAI Codex helped security researchers expose HTTP/2 Bomb, a decades old server-memory attack; nginx, Apache, and Envoy already have fixes but IIS and Pingora stay unresolved. The post OpenAI Codex Helps Expose Decades Old HTTP/2 Bomb Server Attack appeared first on WinBuzzer.
The newly discovered vulnerability HTTP/2 Bomb allows Denial-of-Service attacks on widespread web servers such as NGINX, Apache, IIS and Envoy. IT security company Calif has publicly documented a new vulnerability in the HTTP/2 network protocol. The vulnerability under the code name HTTP/2 Bomb allows remote Denial-of-Service attacks (DoS) on the most commonly used web servers worldwide. The affected software products include NGINX, Apache HTTPD…
HTTP/2’s speed abused to slow webserver performance in DoS attack
HTTP/2 was introduced in 2015 to increase the speed of HTTP by allowing multiple simultaneous connections, and is gradually being superseded by HTTP/3, which is built on the new QUIC encrypted transport protocol. The problem uncovered by Calif lies in how affected servers handle HTTP/2 header compression and request processing, allowing an attacker to trigger disproportionate memory consumption. “The attack chained two techniques known to humans…
Coverage Details
Bias Distribution
- 100% of the sources are Center